Smart Meter Research Findings

Research Disclaimer

• Yes, I conduct assessments on AMI components
• No, I will not tell you for which clients
• No, I will not tell you which vendor products I have analyzed
• Yes, many of these images are generic

Copyright 2012 InGuardians, Inc.

Danger Electrocution

I am not responsible for your actions. InGuardians, Inc. is not responsible for your actions.

Random Image Taken From: http://www.flickr.com/photos/lwr/132854217/
Permission-based Research / Penetration Testing

Unauthorized Testing Is Illegal EVEN IF THE METER IS ON YOUR HOUSE.
Getting Permission For Research IS NOT IMPOSSIBLE. Contact Vendors.

I am not responsible for your actions. InGuardians, Inc. is not responsible for your actions.
Agenda

• Purpose
• Smart Meters
• Criminals and Smart Meters
• Attack/Assessment
• Optical Tool
• Mitigations

Not So Random Image Taken From: http://www.willhackforsushi.com/?p=349

Purpose: Presentation and Toolkit

• Smart Meter data acquisition techniques have been known since January 5, 2009
  - Advanced Metering Infrastructure Attack Methodology [1]
  - Some vendors/utilities/people/teams are still not aware
• Tools to:
  - Test functionality
  - Validate configuration
  - Generate anomalous data

[1] http://inguardians.com/pubs/AMI_Attack_Methodology.pdf
Utility Back Office Network

What Criminals Can Attack

• Access and change data on meter
• Gain access to wireless communications
• Subvert field hardware to impact internal resources
Criminal Interest

• Free or Reduced Energy (has already occurred via optical port)
• Corporate Espionage
• Access To Back-End Resources
• Non-Kinetic Attack
• Hacktivism
Aggregator On Poletop

Only One Winks At You

Where To Start?

Steal This?

State of Texas: Class B Misdemeanor Theft - $50 to $500
Jail <180 Days and/or Fine <$2000

Meter near my barber shop. The exposed contacts scared me.
Components and Interaction

DANGER!!!

Data At Rest
- Microcontrollers
- Memory
- Radios

Data In Motion
- MCU to Radio
- MCU to MCU
- MCU to Memory
- Board to Board
- IR to MCU

Image Taken From: http://www.ifixit.com/Teardown/XXXXXXX-Smart-Meter-Teardown/5710/1
Data At Rest

SPI/I2C Serial/Parallel EEPROM - PDIP/SOJ/SOIC

[Figure: 8-pin serial EEPROM pinout; pins 8 VCC, 7 WP, 6 SCL, 5 SDA]

NAND/NOR/NVRAM/SRAM/CellularRAM/PSRAM/SuperFlash/DataFlash - BGA/FBGA/VFBGA
Dumping Memory

Total Phase Aardvark
Flash Utility
Memory Layout Logic

• Data Storage Standards
  - C12.19 Tables in Transit
    • Standard Tables - formatted and documented
    • Manufacturer Tables - formatted but not externally documented
  - Custom
    • Obfuscated Information and Tables
    • Extended memory for firmware
    • SWAP Space

[Screenshot: special_meter.bin opened in the Okteta hex editor]

[Image: cover of ANSI C12.19-2008, American National Standard for Utility Industry End Device Data Tables]
Data In Motion

Data Eavesdropping - Step One

Simple Tapping with Logic Analyzer

Data Eavesdropping - Step Two

Persistent tapping by soldering leads to components

Provides consistent monitoring for research and development
ANSI C12 Communication Protocols

C12.18: Is Okay - because you know what you are getting.
(ANSI C12.18-2006, American National Standard Protocol Specification for ANSI Type 2 Optical Port)

C12.21: Is Worse - because people think it is "secure"
(ANSI C12.21-2006, American National Standard Protocol Specification for Telephone Modem Communication)

C12.22: ANSI committee has stated vendors should be implementing this
(ANSI C12.22-2008, American National Standard Protocol Specification For Interfacing to Data Communication Networks)

Logic Analyzer - Async Serial

• Analyzers can decode digital signal
• Export data to CSV formatted files

[Screenshot: C12.21 Identification Service Response Packet decoded by the Async Serial analyzer, with the Standard (0x00 == C12.18, 0x02 == C12.21), Version, Revision and End-of-list bytes labeled]
C12.18 Packet Basics

C12.21 Identification Service Request Packet

Time [s]    Value  Direction    Field
70.635036   0xEE   Metro-RXD0   stp
70.636078   0x00   Metro-RXD0   ident
70.637119   0x20   Metro-RXD0   cntl
70.638161   0x00   Metro-RXD0   seq-nbr
70.639203   0x00   Metro-RXD0   len0
70.640245   0x01   Metro-RXD0   len1
70.641286   0x20   Metro-RXD0   identify
70.642328   0x82   Metro-RXD0   crc0
70.64337    0x70   Metro-RXD0   crc1

- stp: Start packet character
- ident: Identity
- cntl: Control Field
- seq-nbr: Sequence Number
- len0, len1: Length
- identify: Data - Identification Service
- crc0, crc1: CCITT CRC
C12.18 Protocol Basics

Time [s]    Value  Direction    Field
70.635036   0xEE   Metro-RXD0   stp
70.636078   0x00   Metro-RXD0   ident
70.637119   0x20   Metro-RXD0   cntl
70.638161   0x00   Metro-RXD0   seq-nbr
70.639203   0x00   Metro-RXD0   len0
70.640245   0x01   Metro-RXD0   len1
70.641286   0x20   Metro-RXD0   identify
70.642328   0x82   Metro-RXD0   crc0
70.64337    0x70   Metro-RXD0   crc1
70.698406   0x06   InG-TXD0     ack
70.727682   0xEE   InG-TXD0     stp
70.728725   0x00   InG-TXD0     ident
70.729767   0x20   InG-TXD0     cntl
70.73081    0x00   InG-TXD0     seq-nbr
70.731852   0x00   InG-TXD0     len0
70.732895   0x05   InG-TXD0     len1
70.733937   0x00   InG-TXD0     ok
70.73498    0x00   InG-TXD0
70.736022   0x01   InG-TXD0
70.737065   0x00   InG-TXD0
70.738107   0x00   InG-TXD0
70.73915    0xFF   InG-TXD0     crc0
70.740192   0x42   InG-TXD0     crc1
70.785563   0x06   Metro-RXD0   ack
70.790667   0xEE   Metro-RXD0   stp
70.791709   0x00   Metro-RXD0   ident
70.792751   0x00   Metro-RXD0   cntl
70.793793   0x00   Metro-RXD0   seq-nbr
70.794835   0x00   Metro-RXD0   len0
70.795876   0x05   Metro-RXD0   len1
70.796913   0x61   Metro-RXD0   negotiate
70.79796    0x01   Metro-RXD0
70.799001   0x00   Metro-RXD0
[screenshot cut off after this row]

C12.18 Request/Response Pattern
- Identification
- Negotiation
- Logon
- Security
- Action (Read, Write, Procedure)
- Logoff
- Terminate
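The packet layout and the captured exchange above, as an added example that is not part of the deck or of its c12_18 tools: a Python 3 builder and parser for C12.18 packets, a decoder for the Identification Service response that uses only the <std> values the slides give, and a splitter that carves packets and the 0x06 ACK bytes out of a serial byte stream. All function names are mine; the CRC variant (CCITT polynomial 0x1021 run bit-reflected, init 0xFFFF, final XOR 0xFFFF, sent low byte first) is an assumption that was checked against the ident, logoff and terminate packets in the deck's replay lists, and the CAPTURE bytes are constructed from the rows of the table above.

```python
import struct

STP = 0xEE  # start-of-packet character <stp>
ACK = 0x06  # link-layer acknowledgement, sent on its own between packets
# <std> values of the Identification Service response, as given on the slide
STANDARDS = {0x00: "C12.18", 0x02: "C12.21"}


def c1218_crc(data: bytes) -> int:
    """CRC over <stp> through the last <data> byte.

    Assumption (checked against the ident, logoff and terminate packets in the
    deck's replay lists): CCITT polynomial 0x1021 run bit-reflected (0x8408),
    initial value 0xFFFF, final XOR 0xFFFF, i.e. the CRC-16/X-25 variant.
    """
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_packet(data: bytes, ctrl: int = 0x00, identity: int = 0, seq: int = 0) -> bytes:
    """<stp><identity><ctrl><seq-nbr><length, 2 bytes big-endian><data><crc, low byte first>."""
    if not 0 < len(data) <= 0xFFFF:
        raise ValueError("data must be 1..65535 bytes")
    body = struct.pack(">BBBBH", STP, identity, ctrl, seq, len(data)) + data
    return body + struct.pack("<H", c1218_crc(body))


def parse_packet(raw: bytes) -> dict:
    """Split one packet into its fields; raises ValueError on a bad length or CRC."""
    if len(raw) < 8 or raw[0] != STP:
        raise ValueError("not a C12.18 packet")
    identity, ctrl, seq, length = struct.unpack(">BBBH", raw[1:6])
    if len(raw) != 6 + length + 2:
        raise ValueError("length field %d does not match %d packet bytes" % (length, len(raw)))
    body = raw[:6 + length]
    (crc,) = struct.unpack("<H", raw[6 + length:])
    if crc != c1218_crc(body):
        raise ValueError("CRC mismatch: got 0x%04x, expected 0x%04x" % (crc, c1218_crc(body)))
    return {"identity": identity, "ctrl": ctrl, "seq": seq, "data": body[6:], "crc": crc}


def decode_ident_response(data: bytes) -> dict:
    """Decode <ok><std><ver><rev> ... <end-of-list> from an Identification Service response."""
    if len(data) < 5 or data[0] != 0x00 or data[-1] != 0x00:
        raise ValueError("not an <ok> identification response")
    std = data[1]
    return {"standard": STANDARDS.get(std, "unknown (0x%02x)" % std),
            "version": data[2], "revision": data[3]}


def split_stream(stream: bytes) -> list:
    """Carve ACK bytes and whole packets out of a raw serial byte stream.

    Returns [("ack", b"\\x06"), ("packet", raw), ...] in wire order; anything
    else (a stray byte, a packet cut short) raises ValueError.
    """
    items, i = [], 0
    while i < len(stream):
        if stream[i] == ACK:
            items.append(("ack", stream[i:i + 1]))
            i += 1
        elif stream[i] == STP and i + 6 <= len(stream):
            (length,) = struct.unpack(">H", stream[i + 4:i + 6])
            end = i + 6 + length + 2
            if end > len(stream):
                raise ValueError("truncated packet at offset %d" % i)
            items.append(("packet", stream[i:end]))
            i = end
        else:
            raise ValueError("unexpected byte 0x%02x at offset %d" % (stream[i], i))
    return items


# Constructed from the capture rows on the slide, both directions merged in
# wire order: ident request (CNTL 0x20), ACK, ident response, ACK.
CAPTURE = bytes.fromhex("ee0020000001208270" "06" "ee00200000050000010000ff42" "06")

if __name__ == "__main__":
    for kind, raw in split_stream(CAPTURE):
        if kind == "ack":
            print("<ack>")
            continue
        pkt = parse_packet(raw)
        print("ctrl=0x%02x seq=%d data=%s crc=0x%04x"
              % (pkt["ctrl"], pkt["seq"], pkt["data"].hex(), pkt["crc"]))
        if pkt["data"][0] == 0x00:  # <ok> response; the request above carried 0x20 (identify)
            print("  ", decode_ident_response(pkt["data"]))
```

The same CRC routine reproduces the byte pairs that follow each packet in the replay lists further down, which is a quick way to spot a mistyped replay entry before it reaches a meter.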
CSV Parser Functionality

cutaway> python c12_18_csv_parser.py -h
Usage:

c12_18_csv_parser.py -rxd <file> -txd <file> [-h] [-m] [-o <file>]

-h   -> Enable Help mode
-rxd -> A CSV file that contains the response portion of data transmission
-txd -> A CSV file that contains the request portion of data transmission
-m   -> Generate an output file that is marked according to the ANSI C12.18
        standard. This output may fail if the file contains errors
-o   -> Name of the output files. This will be renamed to contain the
        date and time to make the file unique. The filename will also be
        marked with COMBO for a normal combined output and COMBO-MARKED for
        the file marked according to the ANSI C12.18 standard.

This program is designed to parse CSV data from a Saleae Logic Analyzer.
The input files should contain the hex byte output from the Async-Serial
analyzer. This data should follow the ANSI C12.18 packet structure.
This tool will generate a combined CSV file that has been sorted. If
specified, the tool will also mark the bytes according to the ANSI
C12.18 standard.
cutaway>

Replay Tables To Talk To Tables

c12_18_fuzz_client.py (excerpt shown in vim; the logon and security lists referenced at the end are defined further down in the file and are not on the slide):

# Requests
# Two copies of each packet: CNTL 0x00 and CNTL 0x20 (the toggle bit alternates
# between successive packets). The two CRC bytes are sent low byte first.
ident = [b'\xee\x00\x00\x00\x00\x01\x20\x13\x10', b'\xee\x00\x20\x00\x00\x01\x20\x82\x70']
nego = [b'\xee\x00\x00\x00\x00\x05\x61\x01\x00\x01\x06\xb8\x25', b'\xee\x00\x20\x00\x00\x05\x61\x01\x00\x01\x06\x81\xd2']
logoff = [b'\xee\x00\x00\x00\x00\x01\x52\x86\x40', b'\xee\x00\x20\x00\x00\x01\x52\x17\x20']

# Responses
ident_r = [b'\xee\x00\x00\x00\x00\x05\x00\x00\x01\x00\x00\xc6\xb5', b'\xee\x00\x20\x00\x00\x05\x00\x00\x01\x00\x00\xff\x42']
nego_r = [b'\xee\x00\x00\x00\x00\x05\x00\x01\x00\x01\x06\x4f\x8f', b'\xee\x00\x20\x00\x00\x05\x00\x01\x00\x01\x06\x76\x78']
ok_r = [b'\xee\x00\x00\x00\x00\x01\x00\x11\x31', b'\xee\x00\x20\x00\x00\x01\x00\x80\x51']
err_r = [b'\xee\x00\x00\x00\x00\x01\x01\x98\x20', b'\xee\x00\x20\x00\x00\x01\x01\x09\x40']
sns_r = [b'\xee\x00\x00\x00\x00\x01\x02\x03\x12', b'\xee\x00\x20\x00\x00\x01\x02\x92\x72']
isc_r = [b'\xee\x00\x00\x00\x00\x01\x03\x8a\x03', b'\xee\x00\x20\x00\x00\x01\x03\x1b\x63']
onp_r = [b'\xee\x00\x00\x00\x00\x01\x04\x35\x77', b'\xee\x00\x20\x00\x00\x01\x04\xa4\x17']
iar_r = [b'\xee\x00\x00\x00\x00\x01\x05\xbc\x66', b'\xee\x00\x20\x00\x00\x01\x05\x2d\x06']
bsy_r = [b'\xee\x00\x00\x00\x00\x01\x06\x27\x54', b'\xee\x00\x20\x00\x00\x01\x06\xb6\x34']
dnr_r = [b'\xee\x00\x00\x00\x00\x01\x07\xae\x45', b'\xee\x00\x20\x00\x00\x01\x07\x3f\x25']
dlk_r = [b'\xee\x00\x00\x00\x00\x01\x08\x59\xbd', b'\xee\x00\x20\x00\x00\x01\x08\xc8\xdd']
rno_r = [b'\xee\x00\x00\x00\x00\x01\x09\xd0\xac', b'\xee\x00\x20\x00\x00\x01\x09\x41\xcc']
isss_r = [b'\xee\x00\x00\x00\x00\x01\x0a\x4b\x9e', b'\xee\x00\x20\x00\x00\x01\x0a\xda\xfe']

# Wait can be sent as a requestor or a responder
wait = [
    [b'\xee\x00\x00\x00\x00\x02\x70\x01\x68\xff', b'\xee\x00\x20\x00\x00\x02\x70\x01\x08\x7a'],
    [b'\xee\x00\x00\x00\x00\x02\x70\x02\xf3\xcd', b'\xee\x00\x20\x00\x00\x02\x70\x02\x93\x48'],
    [b'\xee\x00\x00\x00\x00\x02\x70\x03\x7a\xdc', b'\xee\x00\x20\x00\x00\x02\x70\x03\x1a\x59'],
    [b'\xee\x00\x00\x00\x00\x02\x70\x04\xc5\xa8', b'\xee\x00\x20\x00\x00\x02\x70\x04\xa5\x2d'],
]

term = [b'\xee\x00\x00\x00\x00\x01\x21\x9a\x01', b'\xee\x00\x20\x00\x00\x01\x21\x0b\x61']

########################################
# Unknown Sequences
# Two versions are provided to handle different control bytes
# CNTL Byte needs to alternate
logon_req_names = ['Identification', 'Negotiation', 'Logon', 'Security']
logon_req_seq = [[ident[0], nego[1], logon[0], security[1]], [ident[1], nego[0], logon[1], security[0]]]
logon_resp_names = ['ID Response', 'Nego Response', 'OK', 'OK']
logon_resp_seq = [[ident_r[0], nego_r[1], ok_r[0], ok_r[1]], [ident_r[1], nego_r[0], ok_r[1], ok_r[0]]]

Advanced Persistent Tether

Serial Transmitter
- Receive possible

Replay C12.18 Packets
C12.19 Table Interaction
- Read Tables
- Write Tables
- Run Procedures

Receive Responses via Logic Analyzer

Parse Responses by Hand
Hardware Client Functionality

cutaway> python c12_18_hw_client.py -h

Usage: c12_18_hw_client.py [-h] [-D] [-P <num>] -a <action> [-t <num>] [-f <file>] [-no]
       [-d <num>] [-p <num>] [-s <data>] [-lp <comma separated list>]

-h: print help
-D: turn on debugging statements
-P <num>: Start pause seconds
-a <action>: Perform specific action:
    test_login
    read_table: requires -t and table number or defaults to 0
    read_decade: requires -d and decade number or defaults to 0
    run_proc: requires -p and procedure number or defaults to 0
-f <file>: select configuration file
-t <num>: table number
-d <num>: decade number
-p <num>: procedure number
-s <data>: data for sending
-lp <data>: comma separated list of procedure numbers
-no: turn off negotiation attempts

NOTE: This tool is fire and forget. You will need to monitor the hardware lines
with a logic analyzer to determine success and failure or to read data.

Wink! Wink! Wink! Wink!

Lean In For A Closer Look

ANSI Type 2 Optical Port: Not Your Typical Infra-red Port

Remote Control Devices

Provides /dev/ttyUSB0 via FTDI chip
Open Source Optical Probe?

IguanaWorks
Gainesville, Florida
http://iguanaworks.net/

• Serial Transceiver Driver
• C12.18 Packet Driver
• C12.18 Client
  - Reads and parses C12.19 Tables
  - Writes to C12.19 Tables
  - Runs C12.19 Procedures
  - Easy Function Updates
  - Easy Access To All Functions

OptiGuard
A Smart Meter Assessment Toolkit

OptiGuard Menu

[Screenshot: OptiGuard menu running in a terminal]

Notes
- Requires a VALID C12.18 Security Code to modify tables or run procedures
- Currently only works with some meters
- Vendor specific functions may be required
- C12.18 functions are coded for easy implementation and modification
- Optical transfer is finicky and fuzzing / brute forcing is hit or miss and must be monitored
- Brute force procedure runs have been known to disconnect/connect meters
- Brute force procedure runs have been known to brick meters

Using The Eye Chart

• Can check one code ~ every 2 seconds
• 12277 x 2 seconds = 409 minutes = 6.8 hours
• Hmmm, are failed logons logged?
• Does the meter return an error after N attempts?

Open Wide for a Deep Look Inside

Random Image Taken From: http://www.gonemovies.com/www/Hoofd/A/PhotoLarge.php?Keuze=KubrickClockwork
Mitigations - General

• Residential meters on businesses
  - Evaluate for increased risk to client
• Limit Shared Security Codes
  - Difficult to implement a single security code per meter
  - Can vary in numerous ways:
    • Vendor
    • Commercial and Residential meter
    • Zip Code

Mitigations - General (2)

• Incident Response Planning
  - Prioritize Critical Field Assets
  - Incident Response Plan and Training
• Employee Training
  - Identify
  - Report
  - Respond

Mitigations - Physical

• Tamper Alerts
  - May seem overwhelming, initially
  - Experience will identify correlating data to escalate appropriately
• Toggle Optical Port
  - Use a switch that activates optical interface
  - Should generate a tamper alert

Mitigations - Data At Rest

• Secure Data Storage
  - Encryption <- must be implemented properly
  - Hashes <- must be implemented properly
• Configuration Integrity Checks
  - Vendor Specific
  - Some solutions/systems already do this
  - Meters should function with old configuration until approved / denied

Mitigations - Data In Motion

• IR Interaction Authorization Tokens
  - Breaking or Augmenting Standard?
• Microcontroller to <INSERT HERE>
  - C12.22
  - Obfuscated Protocols

OptiGuard Offspring?

• Wireless Optical Port Readers
  - Small cheap magnetic devices activated wirelessly
• Optical Port Spraying
  - IR interaction without touching meter
• Wireless Hardware Sniffers/MITM
  - Detect updates and modify data in transit
• Neighborhood Area Network FHSS Eavesdropping
  - Channels, Spacing, Modulation, Sync Bytes, Etc
Vendor Participation

• The following people helped out in various important ways during this journey.
  - Ed Beroset, Elster
  - Robert Former, Itron
  - Others who have asked not to be named

Those Who Must Be Thanked

Gretchen, Garrison, and Collier Weber
Andrew Righter
Atlas
Daniel Thanos
John Sawyer
Joshua Wright
Matt Carpenter
Tom Liston
Travis Goodspeed
InGuardians
Tell Them Cutaway Sent You

Don C. Weber / Cutaway: don@inguardians.com